Financial services companies have been a popular target for cybercriminals for a long time. Not without good reason, since beyond working with money, financial companies handle a slew of sensitive client data that criminals utilise in various fraud schemes or sell off on dark web bazaars. According to Verizon’s 2020 Data Breach Investigations Report, in the past year alone the financial industry has suffered more than 1,500 incidents, with 448 confirmed data disclosures.
Carey van Vlaanderen, CEO of ESET, says that in addition to the long-standing threats, most companies have had to contend with the rapid transition to remote work. “The shift happened on extremely short notice, leaving companies with little time to deploy adequate cybersecurity measures or to prepare employees for looming cyberthreats. And while the pandemic will eventually subside, remote work looks like it’s here to stay. This will of course add to the list of challenges that companies need to cope with when they are preparing their cybersecurity plans and policies.”
ESET has rounded up five of the key factors why organisations struggle with cybersecurity:
While many companies may be on the hunt for either seasoned or up-and-coming cybersecurity professionals to join their ranks and help them establish a defensive perimeter against various threats, there just aren’t enough of them to go around. In fact, although the cybersecurity workforce gap has shrunk for the first time in years, there is still a global shortage of 3.12 million workers. “Actually, to make up the global talent shortfall, the employment levels would need to grow by 89% worldwide. So, to attract the best and brightest cybersecurity minds, companies will have to offer competitive salaries and fulfilling work opportunities,” says van Vlaanderen.
A key area that is preventing companies from tackling cyberthreats head-on is that they have insufficient budgets allocated to cybersecurity. According to a survey conducted by consulting firm Ernst and Young, 87% of surveyed organisations said that they did not have a sufficient budget to achieve the levels of cybersecurity and resilience they were aiming for.
“The lack of resources means that companies can’t hire enough cybersecurity talent or institute technical measures they need to be resilient when facing off against various cyber threats. With challenges like this in mind, ESET has recently launched ESET Protect*. It’s important to stay up to date on what’s available to your business and ensure that the team entrusted with your cybersecurity needs understand your business properly to make suitable recommendations.”
Overestimating their own cybersecurity
One common mistake companies make is that they overestimate how good their cybersecurity measures are. While they may believe that they are on top of things, companies may not have the best vulnerability patch-management policies in place.
Lack of awareness training
“Another common occurrence that undermines a company’s cybersecurity is that employees do not receive enough cybersecurity awareness training. Arguably the risks of employees being tricked into downloading malware or parting with their company credentials have been amplified due to the COVID-19-powered shift to remote work so it’s essential to send them updates and flag anything.”
According to a study conducted by the Ponemon Institute, although companies have registered a surge in cyberattacks during the pandemic (including phishing and social engineering attacks), 24% of respondents felt that their organisations have not provided sufficient training about risks associated with remote work. Worryingly, the study also discovered that over half of the companies had no security policies at all covering requirements for remote employees.
Underestimating the value of cybersecurity
Some organisations underestimate the value of cybersecurity for their business and instead opt to invest in other aspects they deem more worthwhile, such as financing expansions or developing new products. They could argue that the costs outweigh the benefits, such as the cost of cybersecurity measures outweighing potential losses from a data breach.
“While the potential fines and losses may be lower in the short term, the reputational damage could lead to greater fallout including losing client trust, which would hit revenue streams. Alternatively, if successful, cybercriminals could gain access to intellectual property that they could sell along with the client data on the dark web. Cybersecurity shouldn’t be an afterthought as it serves to protect both the company and its clients – and this I cannot stress enough.”
Any combination of the aforementioned factors could spell a perfect storm for most organisations when faced with a cyberattack. On the bright side, financial services companies have begun taking cybersecurity concerns seriously on the highest level. Global management consulting firm McKinsey found that 95% of the board committees that they surveyed say they discuss cyber-risks and tech risks at least four times a year.
“It’s worth noting that building awareness in top management has to go hand in hand with investing adequate sums in cybersecurity solutions and training personnel to the best possible standards,” concludes van Vlaanderen.
Note: To help your colleagues and company learn how to stay secure, ESET is currently offering free cybersecurity training online.
The training will cover:
- Email protection: What to look for, what to avoid.
- Web protection: Wi-Fi, IoT and search engine security.
- Social engineering: How to recognise scams, what to do.
- Threat overview: Malware, phishing & insider threats.
- Password policies: Best practices like 2FA, and how to avoid it.